Improvements on Security Evaluation of AES against Differential Bias Attack

Haruhisa KOSUGE  Hidema TANAKA  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E100-A   No.11   pp.2398-2407
Publication Date: 2017/11/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E100.A.2398
Type of Manuscript: PAPER
Category: Cryptography and Information Security
block cipher,  side-channel attack,  formal security analysis,  leakage model,  AES,  differential bias attack,  key enumeration,  rank estimation,  

Full Text: PDF(620.4KB)
>>Buy this Article

In ASIACRYPT2015, a new model for the analysis of block cipher against side-channel attack and a dedicated attack, differential bias attack, were proposed by Bogdanov et al. The model assumes an adversary who has leaked values whose positions are unknown and randomly chosen from internal states (random leakage model). This paper improves the security analysis on AES under the random leakage model. In the previous method, the adversary requires at least 234 chosen plaintexts; therefore, it is hard to recover a secret key with a small number of data. To consider the security against the adversary given a small number of data, we reestimate complexity. We propose another hypothesis-testing method which can minimize the number of required data. The proposed method requires time complexity more than t>260 because of time-data tradeoff, and some attacks are tractable under t≤280. Therefore, the attack is a threat for the long-term security though it is not for the short-term security. In addition, we apply key enumeration to the differential bias attack and propose two evaluation methods, information-theoretic evaluation and experimental one with rank estimation. From the evaluations on AES, we show that the attack is a practical threat for the long-term security.